Remove sm4-128-cbc from stream ciphers; add sm4-128-ctr and sm4-128-gcm#3043
Open
Copilot wants to merge 2 commits into
Conversation
The review comment correctly identified that sm4-128-cbc cannot work as a stream cipher because the stream implementation only calls mbedtls_cipher_update() and never mbedtls_cipher_finish() for the final block, and CBC mode requires block-aligned input. Remove sm4-128-cbc from the stream cipher list entirely. sm4-128-ctr (CTR mode) is retained as it is a proper stream cipher mode. sm4-128-gcm is also added as an AEAD cipher (unrelated to the stream cipher issue).
Copilot (AI) changed the title from "[WIP] Fix code based on review comment" to "Remove sm4-128-cbc from stream ciphers; add sm4-128-ctr and sm4-128-gcm" on Jun 28, 2026.
madeye approved these changes on Jun 28, 2026.
sm4-128-cbc was incorrectly added as a stream cipher. The stream cipher path only calls mbedtls_cipher_update() — it never calls mbedtls_cipher_finish() and has no padding support, so CBC mode will corrupt or truncate data for non-block-aligned payloads.

Changes

src/stream.c / src/stream.h: Drop sm4-128-cbc entirely from stream ciphers. Add sm4-128-ctr only (CTR is a native stream mode). STREAM_CIPHER_NUM 21 → 22. Updated SM4_128_CTR = 13 define (shifts CAST5_CFB and below by one), plus all parallel arrays (supported_stream_ciphers, supported_stream_ciphers_mbedtls, nonce_size, key_size).

src/aead.c / src/aead.h: Add sm4-128-gcm as an AEAD cipher (SM4128GCM = 3). Shifts CHACHA20POLY1305IETF to index 4. AEAD_CIPHER_NUM 4 → 5 (6 with xchacha). Adds SM4128GCM fall-through in both aead_cipher_encrypt and aead_cipher_decrypt alongside the existing mbedTLS GCM path.

src/utils.c: Update usage text to advertise sm4-128-ctr and sm4-128-gcm.
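The truncation the description refers to is easy to see in a model of an update-only pipeline. The following is an added illustration, not code from this pull request, from shadowsocks-libev or from mbedTLS: it reproduces the relevant semantics of mbedtls_cipher_update() (CBC emits only whole blocks and keeps the tail in the context; CTR emits one output byte per input byte) on top of a toy 16-byte block permutation that stands in for SM4 and is not a real cipher. The key and IV are constructed zero vectors, and bytes_emitted() is a hypothetical helper that reports how many ciphertext bytes a sender that never calls finish() would actually put on the wire.

```c
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Added illustration, not shadowsocks-libev or mbedTLS code. It models an
 * update-only pipeline (the equivalent of mbedtls_cipher_update() with no
 * mbedtls_cipher_finish()) in CBC versus CTR mode. The block function below
 * is a toy stand-in for SM4 and is NOT a real cipher. */

#define BLOCK_SIZE 16

/* Toy 128-bit block permutation: XOR with key, then rotate bytes (NOT SM4). */
static void toy_block_encrypt(const uint8_t key[BLOCK_SIZE],
                              const uint8_t in[BLOCK_SIZE],
                              uint8_t out[BLOCK_SIZE]) {
    uint8_t tmp[BLOCK_SIZE];
    for (int i = 0; i < BLOCK_SIZE; i++) tmp[i] = in[i] ^ key[i];
    for (int i = 0; i < BLOCK_SIZE; i++) out[i] = tmp[(i + 3) % BLOCK_SIZE];
}

/* Minimal cipher context; mbedTLS likewise keeps an IV/counter and a
 * partial-block buffer between update() calls. */
typedef struct {
    uint8_t key[BLOCK_SIZE];
    uint8_t iv[BLOCK_SIZE];      /* CBC chaining value or CTR counter block */
    uint8_t pending[BLOCK_SIZE]; /* CBC: bytes waiting for a full block */
    size_t  pending_len;
    uint8_t stream[BLOCK_SIZE];  /* CTR: current keystream block */
    size_t  stream_used;
} toy_ctx;

static void toy_init(toy_ctx *c, const uint8_t key[BLOCK_SIZE],
                     const uint8_t iv[BLOCK_SIZE]) {
    memset(c, 0, sizeof *c);
    memcpy(c->key, key, BLOCK_SIZE);
    memcpy(c->iv, iv, BLOCK_SIZE);
    c->stream_used = BLOCK_SIZE; /* no keystream generated yet */
}

/* CBC update(): only whole blocks are emitted; a partial tail stays in the
 * context until finish() (never called here). Returns bytes written. */
static size_t toy_cbc_update(toy_ctx *c, const uint8_t *in, size_t len,
                             uint8_t *out) {
    size_t written = 0;
    for (size_t i = 0; i < len; i++) {
        c->pending[c->pending_len++] = in[i];
        if (c->pending_len == BLOCK_SIZE) {
            uint8_t x[BLOCK_SIZE];
            for (int j = 0; j < BLOCK_SIZE; j++) x[j] = c->pending[j] ^ c->iv[j];
            toy_block_encrypt(c->key, x, c->iv); /* ciphertext = next IV */
            memcpy(out + written, c->iv, BLOCK_SIZE);
            written += BLOCK_SIZE;
            c->pending_len = 0;
        }
    }
    return written;
}

/* CTR update(): every input byte yields an output byte immediately. */
static size_t toy_ctr_update(toy_ctx *c, const uint8_t *in, size_t len,
                             uint8_t *out) {
    for (size_t i = 0; i < len; i++) {
        if (c->stream_used == BLOCK_SIZE) {
            toy_block_encrypt(c->key, c->iv, c->stream);
            /* big-endian increment of the counter block with carry */
            for (int j = BLOCK_SIZE - 1; j >= 0 && ++c->iv[j] == 0; j--) {}
            c->stream_used = 0;
        }
        out[i] = in[i] ^ c->stream[c->stream_used++];
    }
    return len;
}

/* Hypothetical helper: bytes that reach the wire for a payload of `len`
 * bytes (len <= 64) when the sender only ever calls update(). In CBC mode
 * len % BLOCK_SIZE bytes are stranded in the context and silently lost. */
size_t bytes_emitted(int use_ctr, size_t len) {
    uint8_t key[BLOCK_SIZE] = {0}, iv[BLOCK_SIZE] = {0}; /* constructed vectors */
    uint8_t in[64], out[64];
    memset(in, 'A', sizeof in);
    toy_ctx c;
    toy_init(&c, key, iv);
    return use_ctr ? toy_ctr_update(&c, in, len, out)
                   : toy_cbc_update(&c, in, len, out);
}

int main(void) {
    printf("37-byte payload: CBC emits %zu bytes, CTR emits %zu bytes\n",
           bytes_emitted(0, 37), bytes_emitted(1, 37));
    return 0;
}
```

For a 37-byte payload the CBC path emits 32 bytes and keeps 5 in the context, which is exactly the corruption/truncation the review comment describes for non-block-aligned payloads; the CTR path emits all 37, which is why sm4-128-ctr fits the stream cipher list and sm4-128-cbc does not.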